[NRL-1922] Re-organise all bucket policies to satistfy sonarqube

mattdean3-nhs · mattdean3-nhs · commit a0bccf66cbaa · 2026-03-11T15:38:34.000Z
diff --git a/terraform/account-wide-infrastructure/dev/aws-backup.tf b/terraform/account-wide-infrastructure/dev/aws-backup.tf
@@ -3,37 +3,20 @@ resource "aws_s3_bucket" "backup_reports" { # NOSONAR (S6258) - Logging not requ
   bucket_prefix = "${local.prefix}-backup-reports"
 }
 
-resource "aws_s3_bucket_public_access_block" "backup_reports" {
-  bucket = aws_s3_bucket.backup_reports.id
-
-  block_public_acls       = true
-  block_public_policy     = true
-  ignore_public_acls      = true
-  restrict_public_buckets = true
-}
-
-resource "aws_s3_bucket_server_side_encryption_configuration" "backup_reports" {
-  bucket = aws_s3_bucket.backup_reports.bucket
-
-  rule {
-    apply_server_side_encryption_by_default {
-      sse_algorithm = "AES256"
-    }
-  }
-}
-
-resource "aws_s3_bucket_policy" "backup_reports_bucket_policy" {
+resource "aws_s3_bucket_policy" "backup_reports_https_only" {
   bucket = aws_s3_bucket.backup_reports.id
 
   policy = jsonencode({
     Version = "2012-10-17"
-    Id      = "backup_reports_bucket_policy"
+    Id      = "backup_reports_https_only_policy"
     Statement = [
       {
-        Sid       = "HTTPSOnly"
-        Effect    = "Deny"
-        Principal = "*"
-        Action    = "s3:*"
+        Sid    = "HTTPSOnly"
+        Effect = "Deny"
+        Principal = {
+          "AWS" : "*"
+        }
+        Action = "s3:*"
         Resource = [
           aws_s3_bucket.backup_reports.arn,
           "${aws_s3_bucket.backup_reports.arn}/*",
@@ -43,7 +26,18 @@ resource "aws_s3_bucket_policy" "backup_reports_bucket_policy" {
             "aws:SecureTransport" = "false"
           }
         }
-      },
+      }
+    ]
+  })
+}
+
+resource "aws_s3_bucket_policy" "backup_reports_write_access" {
+  bucket = aws_s3_bucket.backup_reports.id
+
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Id      = "backup_reports_write_access_policy"
+    Statement = [
       {
         Sid    = "AllowBackupReportsWrite"
         Effect = "Allow"
@@ -64,6 +58,24 @@ resource "aws_s3_bucket_policy" "backup_reports_bucket_policy" {
   })
 }
 
+resource "aws_s3_bucket_public_access_block" "backup_reports" {
+  bucket = aws_s3_bucket.backup_reports.id
+
+  block_public_acls       = true
+  block_public_policy     = true
+  ignore_public_acls      = true
+  restrict_public_buckets = true
+}
+
+resource "aws_s3_bucket_server_side_encryption_configuration" "backup_reports" {
+  bucket = aws_s3_bucket.backup_reports.bucket
+
+  rule {
+    apply_server_side_encryption_by_default {
+      sse_algorithm = "AES256"
+    }
+  }
+}
 
 resource "aws_s3_bucket_ownership_controls" "backup_reports" {
   bucket = aws_s3_bucket.backup_reports.id
diff --git a/terraform/account-wide-infrastructure/modules/athena/s3.tf b/terraform/account-wide-infrastructure/modules/athena/s3.tf
@@ -2,12 +2,12 @@ resource "aws_s3_bucket" "athena" { # NOSONAR (S6258) - Logging not required for
   bucket = "${var.name_prefix}-athena"
 }
 
-resource "aws_s3_bucket_policy" "athena" {
-  bucket = "${var.name_prefix}-athena"
+resource "aws_s3_bucket_policy" "athena-https-only" {
+  bucket = aws_s3_bucket.athena.id
 
   policy = jsonencode({
     Version = "2012-10-17"
-    Id      = "athena-policy"
+    Id      = "athena-https-only-policy"
     Statement = [
       {
         Sid    = "HTTPSOnly"
@@ -25,7 +25,18 @@ resource "aws_s3_bucket_policy" "athena" {
             "aws:SecureTransport" = "false"
           }
         }
-      },
+      }
+    ]
+  })
+}
+
+resource "aws_s3_bucket_policy" "athena-access" {
+  bucket = aws_s3_bucket.athena.id
+
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Id      = "athena-access-policy"
+    Statement = [
       {
         Sid : "AllowAthenaAccess",
         Effect : "Allow",
diff --git a/terraform/account-wide-infrastructure/modules/glue/s3.tf b/terraform/account-wide-infrastructure/modules/glue/s3.tf
@@ -4,7 +4,7 @@ resource "aws_s3_bucket" "source-data-bucket" { # NOSONAR (S6258) - Logging not
 }
 
 resource "aws_s3_bucket_policy" "source-data-bucket" {
-  bucket = "${var.name_prefix}-source-data-bucket"
+  bucket = aws_s3_bucket.source-data-bucket.id
 
   policy = jsonencode({
     Version = "2012-10-17"
@@ -79,7 +79,7 @@ resource "aws_s3_bucket" "target-data-bucket" { # NOSONAR (S6258) - Logging not
 }
 
 resource "aws_s3_bucket_policy" "target-data-bucket" {
-  bucket = "${var.name_prefix}-target-data-bucket"
+  bucket = aws_s3_bucket.target-data-bucket.id
 
   policy = jsonencode({
     Version = "2012-10-17"
@@ -132,7 +132,7 @@ resource "aws_s3_bucket" "code-bucket" { # NOSONAR (S6258) - Logging not require
 }
 
 resource "aws_s3_bucket_policy" "code-bucket" {
-  bucket = "${var.name_prefix}-code-bucket"
+  bucket = aws_s3_bucket.code-bucket.id
 
   policy = jsonencode({
     Version = "2012-10-17"
diff --git a/terraform/account-wide-infrastructure/modules/permissions-store-bucket/s3.tf b/terraform/account-wide-infrastructure/modules/permissions-store-bucket/s3.tf
@@ -9,25 +9,6 @@ resource "aws_s3_bucket" "authorization-store" { # NOSONAR (S6258) - Logging not
   }
 }
 
-resource "aws_s3_bucket_public_access_block" "authorization-store-public-access-block" {
-  bucket = aws_s3_bucket.authorization-store.id
-
-  block_public_acls       = true
-  block_public_policy     = true
-  ignore_public_acls      = true
-  restrict_public_buckets = true
-}
-
-resource "aws_s3_bucket_server_side_encryption_configuration" "authorization-store" {
-  bucket = aws_s3_bucket.authorization-store.bucket
-
-  rule {
-    apply_server_side_encryption_by_default {
-      sse_algorithm = "AES256"
-    }
-  }
-}
-
 resource "aws_s3_bucket_policy" "authorization_store_bucket_policy" {
   bucket = aws_s3_bucket.authorization-store.id
 
@@ -54,6 +35,25 @@ resource "aws_s3_bucket_policy" "authorization_store_bucket_policy" {
   })
 }
 
+resource "aws_s3_bucket_public_access_block" "authorization-store-public-access-block" {
+  bucket = aws_s3_bucket.authorization-store.id
+
+  block_public_acls       = true
+  block_public_policy     = true
+  ignore_public_acls      = true
+  restrict_public_buckets = true
+}
+
+resource "aws_s3_bucket_server_side_encryption_configuration" "authorization-store" {
+  bucket = aws_s3_bucket.authorization-store.bucket
+
+  rule {
+    apply_server_side_encryption_by_default {
+      sse_algorithm = "AES256"
+    }
+  }
+}
+
 resource "aws_s3_bucket_versioning" "authorization-store" {
   bucket = aws_s3_bucket.authorization-store.id
   versioning_configuration {
diff --git a/terraform/account-wide-infrastructure/prod/aws-backup.tf b/terraform/account-wide-infrastructure/prod/aws-backup.tf
@@ -3,31 +3,12 @@ resource "aws_s3_bucket" "backup_reports" { # NOSONAR (S6258) - Logging not requ
   bucket_prefix = "${local.prefix}-backup-reports"
 }
 
-resource "aws_s3_bucket_public_access_block" "backup_reports" {
-  bucket = aws_s3_bucket.backup_reports.id
-
-  block_public_acls       = true
-  block_public_policy     = true
-  ignore_public_acls      = true
-  restrict_public_buckets = true
-}
-
-resource "aws_s3_bucket_server_side_encryption_configuration" "backup_reports" {
-  bucket = aws_s3_bucket.backup_reports.bucket
-
-  rule {
-    apply_server_side_encryption_by_default {
-      sse_algorithm = "AES256"
-    }
-  }
-}
-
-resource "aws_s3_bucket_policy" "backup_reports_bucket_policy" {
+resource "aws_s3_bucket_policy" "backup_reports_https_only" {
   bucket = aws_s3_bucket.backup_reports.id
 
   policy = jsonencode({
     Version = "2012-10-17"
-    Id      = "backup_reports_bucket_policy"
+    Id      = "backup_reports_https_only_policy"
     Statement = [
       {
         Sid       = "HTTPSOnly"
@@ -43,7 +24,18 @@ resource "aws_s3_bucket_policy" "backup_reports_bucket_policy" {
             "aws:SecureTransport" = "false"
           }
         }
-      },
+      }
+    ]
+  })
+}
+
+resource "aws_s3_bucket_policy" "backup_reports_read_access" {
+  bucket = aws_s3_bucket.backup_reports.id
+
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Id      = "backup_reports_read_access"
+    Statement = [
       {
         Sid    = "AllowBackupReportsWrite"
         Effect = "Allow"
@@ -64,6 +56,24 @@ resource "aws_s3_bucket_policy" "backup_reports_bucket_policy" {
   })
 }
 
+resource "aws_s3_bucket_public_access_block" "backup_reports" {
+  bucket = aws_s3_bucket.backup_reports.id
+
+  block_public_acls       = true
+  block_public_policy     = true
+  ignore_public_acls      = true
+  restrict_public_buckets = true
+}
+
+resource "aws_s3_bucket_server_side_encryption_configuration" "backup_reports" {
+  bucket = aws_s3_bucket.backup_reports.bucket
+
+  rule {
+    apply_server_side_encryption_by_default {
+      sse_algorithm = "AES256"
+    }
+  }
+}
 
 resource "aws_s3_bucket_ownership_controls" "backup_reports" {
   bucket = aws_s3_bucket.backup_reports.id
diff --git a/terraform/account-wide-infrastructure/test/aws-backup.tf b/terraform/account-wide-infrastructure/test/aws-backup.tf
@@ -3,31 +3,12 @@ resource "aws_s3_bucket" "backup_reports" { # NOSONAR (S6258) - Logging not requ
   bucket_prefix = "${local.prefix}-backup-reports"
 }
 
-resource "aws_s3_bucket_public_access_block" "backup_reports" {
-  bucket = aws_s3_bucket.backup_reports.id
-
-  block_public_acls       = true
-  block_public_policy     = true
-  ignore_public_acls      = true
-  restrict_public_buckets = true
-}
-
-resource "aws_s3_bucket_server_side_encryption_configuration" "backup_reports" {
-  bucket = aws_s3_bucket.backup_reports.bucket
-
-  rule {
-    apply_server_side_encryption_by_default {
-      sse_algorithm = "AES256"
-    }
-  }
-}
-
-resource "aws_s3_bucket_policy" "backup_reports_bucket_policy" {
+resource "aws_s3_bucket_policy" "backup_reports_https_only" {
   bucket = aws_s3_bucket.backup_reports.id
 
   policy = jsonencode({
     Version = "2012-10-17"
-    Id      = "backup_reports_bucket_policy"
+    Id      = "backup_reports_https_only_policy"
     Statement = [
       {
         Sid       = "HTTPSOnly"
@@ -43,7 +24,18 @@ resource "aws_s3_bucket_policy" "backup_reports_bucket_policy" {
             "aws:SecureTransport" = "false"
           }
         }
-      },
+      }
+    ]
+  })
+}
+
+resource "aws_s3_bucket_policy" "backup_reports_read_access" {
+  bucket = aws_s3_bucket.backup_reports.id
+
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Id      = "backup_reports_read_access"
+    Statement = [
       {
         Sid    = "AllowBackupReportsWrite"
         Effect = "Allow"
@@ -64,6 +56,24 @@ resource "aws_s3_bucket_policy" "backup_reports_bucket_policy" {
   })
 }
 
+resource "aws_s3_bucket_public_access_block" "backup_reports" {
+  bucket = aws_s3_bucket.backup_reports.id
+
+  block_public_acls       = true
+  block_public_policy     = true
+  ignore_public_acls      = true
+  restrict_public_buckets = true
+}
+
+resource "aws_s3_bucket_server_side_encryption_configuration" "backup_reports" {
+  bucket = aws_s3_bucket.backup_reports.bucket
+
+  rule {
+    apply_server_side_encryption_by_default {
+      sse_algorithm = "AES256"
+    }
+  }
+}
 
 resource "aws_s3_bucket_ownership_controls" "backup_reports" {
   bucket = aws_s3_bucket.backup_reports.id
diff --git a/terraform/infrastructure/modules/firehose/s3.tf b/terraform/infrastructure/modules/firehose/s3.tf
@@ -3,16 +3,6 @@ resource "aws_s3_bucket" "firehose" { # NOSONAR (S6258) - Logging not required f
   force_destroy = true
 }
 
-resource "aws_s3_bucket_server_side_encryption_configuration" "firehose" {
-  bucket = aws_s3_bucket.firehose.id
-  rule {
-    apply_server_side_encryption_by_default {
-      kms_master_key_id = aws_kms_key.firehose.arn
-      sse_algorithm     = "aws:kms"
-    }
-  }
-}
-
 resource "aws_s3_bucket_policy" "firehose-policy" {
   bucket = aws_s3_bucket.firehose.id
 
@@ -39,6 +29,16 @@ resource "aws_s3_bucket_policy" "firehose-policy" {
   })
 }
 
+resource "aws_s3_bucket_server_side_encryption_configuration" "firehose" {
+  bucket = aws_s3_bucket.firehose.id
+  rule {
+    apply_server_side_encryption_by_default {
+      kms_master_key_id = aws_kms_key.firehose.arn
+      sse_algorithm     = "aws:kms"
+    }
+  }
+}
+
 resource "aws_s3_bucket_public_access_block" "firehose-public-access-block" {
   bucket = aws_s3_bucket.firehose.id
 
diff --git a/terraform/infrastructure/modules/permissions-store-bucket/s3.tf b/terraform/infrastructure/modules/permissions-store-bucket/s3.tf

Original file line number	Diff line number	Diff line change
`@@ -4,7 +4,7 @@ resource "aws_s3_bucket" "source-data-bucket" { # NOSONAR (S6258) - Logging not`
`4`	`4`	`}`
`5`	`5`
`6`	`6`	`resource "aws_s3_bucket_policy" "source-data-bucket" {`
`7`		`- bucket = "${var.name_prefix}-source-data-bucket"`
	`7`	`+ bucket = aws_s3_bucket.source-data-bucket.id`
`8`	`8`
`9`	`9`	`policy = jsonencode({`
`10`	`10`	`Version = "2012-10-17"`
`@@ -79,7 +79,7 @@ resource "aws_s3_bucket" "target-data-bucket" { # NOSONAR (S6258) - Logging not`
`79`	`79`	`}`
`80`	`80`
`81`	`81`	`resource "aws_s3_bucket_policy" "target-data-bucket" {`
`82`		`- bucket = "${var.name_prefix}-target-data-bucket"`
	`82`	`+ bucket = aws_s3_bucket.target-data-bucket.id`
`83`	`83`
`84`	`84`	`policy = jsonencode({`
`85`	`85`	`Version = "2012-10-17"`
`@@ -132,7 +132,7 @@ resource "aws_s3_bucket" "code-bucket" { # NOSONAR (S6258) - Logging not require`
`132`	`132`	`}`
`133`	`133`
`134`	`134`	`resource "aws_s3_bucket_policy" "code-bucket" {`
`135`		`- bucket = "${var.name_prefix}-code-bucket"`
	`135`	`+ bucket = aws_s3_bucket.code-bucket.id`
`136`	`136`
`137`	`137`	`policy = jsonencode({`
`138`	`138`	`Version = "2012-10-17"`